United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE:             April 7, 2011

AUDIT
NUMBER:           33601-12-Ch (1)

TO:               Dr. Gregory Parham
                  Administrator
                  Animal and Plant Health Inspection Service

ATTN:             Joanne L. Munno
                  Deputy Administrator
                  Marketing and Regulatory Programs Business Services

FROM:             Gil H. Harden /s/ Tracy LaPoint (for)
                  Assistant Inspector General
                  for Audit

SUBJECT:          APHIS Needs to Establish Better Controls Over Information Systems

This is a synopsis of a Fast Report on the subject that we issued to the agency. Due to the sensitive nature of the information disclosed in that Fast Report, we are unable to provide public access or post the full version on the internet.

During audit fieldwork, we determined that the Animal and Plant Health Inspection Service (APHIS) implemented a database system in 2006 without ensuring that Federal information systems security requirements were met. Specifically, we found that APHIS’ Information Technology Division (ITD) was not aware that another APHIS division implemented the database and could not ensure it met the Federal information systems security requirements for certification and accreditation (C&A).[1][2] The database system contains sensitive and Personally Identifiable Information, as well as information obtained from other agencies and departments.

In response to our Fast Report, dated April 14, 2011, APHIS ITD officials stated they had already notified the Department of Agriculture’s Office of the Chief Information Officer (OCIO) regarding the existence of the database system, and would work with the OCIO to complete the C&A process. APHIS also agreed to review all APHIS servers, using network scanning tools available, to develop a complete inventory of systems and identify any unauthorized systems, by April 30, 2011. APHIS’ ITD will also direct the program units to report all servers and systems that have not been previously identified, by June 30, 2011.

This issue, along with any others identified, will be compiled into a final report at the conclusion of our audit.

[1] Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006.

[2] Certification is a comprehensive assessment of a system’s security features and safeguards to establish whether it meets specified security requirements, and accreditation is the formal declaration by a designated accrediting authority that the system is approved to operate using a prescribed set of safeguards, Departmental Manual 3555-001, dated October 18, 2005.